CLAIMS 

What is claimed is: 



1 1 . A communication switch comprising: 

2 at least one input for receiving messages, each message including, 

3 an address specifier, and 

4 a port specifier; 

5 a traffic analyzer for comparing the port specifier of a first message against the port specifiers 

6 of previously received messages; and 

7 an output for reporting a result of the comparing. 

1 2. The communication switch of claim 1 further comprising: 

2 H a usage tracking system for throttling traffic through the communication switch. 

K J: 

1 11 3. The communication switch of claim 2 wherein: 

2 M; the usage tracking system includes means for throttling traffic according to address specifier 

3 f y and port specifier in combination. 

1 JU 4. The communication switch of claim 2 wherein: 

2 %y the usage tracking system includes means for throttling traffic according to a predetermined 

3 tn maximum aggregate bandwidth for the communication switch. 

1 ? ~ 5. The communication switch of claim 1 wherein: 

2 the traffic analyzer is further for reporting fraud over the output. 

1 6. The communication switch of claim 1 wherein: 

2 the traffic analyzer is further for comparing the address specifier and port specifier 

3 combination of the first message against the address specifier and port specifier combinations of the 

4 previously seen messages. 

1 7. The communication switch of claim 1 wherein: 

2 each message further includes, 

3 a traffic type specifier; and 
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4 the traffic analyzer is further for comparing the traffic type specifier of the first message 

5 against the traffic type specifiers of the previously received messages. 

1 8. The communication switch of claim 1 wherein: 

2 each message further includes, 

3 a traffic type specifier; and 

4 the traffic analyzer is further for comparing the address specifier, port specifier, and traffic 

5 type specifier of the first message against the address specifier, port specifier, and traffic type 

6 specifier combinations of the previously received messages, 

1 9. A server for use with a communication switch, the server comprising: 

2 an I/O for communicating messages and alerts between the communication switch and the 

3 server; 

4 C3 a billing system for providing a maximum bandwidth indication to the communication 

5 rQ switch; and 

6 lZ a fraud detection system for receiving fraud alerts from the communication switch, 

1 fU 10. The server of claim 9 wherein: 

2 ~ the fraud detection system is responsive to fraud alerts indicating excessive traffic on an 

3 ;H address:port combination at the communication switch. 

1 |FI 11, The server of claim 10 wherein: 

2 £1 the fraud detection system is further responsive to fraud alerts indicating a likelihood of IP 

3 masquerading. 

1 12. The server of claim 10 wherein: 

2 the fraud detection system is responsive to fraud alerts based upon address:port:type 

3 combination. 

1 13. A method comprising: 

2 receiving a message which includes an address:port identifier; 

3 comparing the address:port identifier against previously received messages' address:port 

4 identifiers; and 
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determining whether excessive traffic is originating from a source identified by the 
address :port identifier. 

14. The method of claim 13 further comprising: 

throttling message traffic in response to determining that excessive traffic is originating from 
the source. 

15. The method of claim 14 wherein the throttling comprises: 
throttling message traffic to and/or from that source. 

16. The method of claim 13 wherein the message further includes a type specifier, the method 
further comprising: 

comparing the type specifier against type specifiers of previously received messages from the 
same address:port as the message; and 

determining whether the source is issuing messages of different types such as indicate fraud. 

17. The method of claim 16 further comprising: 

sending a fraud alert in response to determining that the source is issuing messages of 
different types such as indicate fraud. 

18. The method of claim 1 3 further comprising: 

recording the message for use in future comparisons against future messages. 

19. The method of claim 13 further comprising: 
receiving an indication of a maximum bandwidth; and 

throttling message traffic in response to the indication of the maximum bandwidth. 

20. A customer premises gateway for communicating with an ISP premises head-end server, the 
customer premises gateway comprising: 

at least one first I/O each for connecting to a communication device; 

a second I/O for connecting to the ISP premises head-end server; and 

a traffic analyzer coupled to the at least one first I/O and the second I/O, including 

a port identifier comparator, 

a throttling mechanism, and 



Docket No. 42390. P 



Page 10 



phone (408) 720-8598 



8 a fraud reporter. 

1 21. The customer premises gateway of claim 20 wherein the traffic analyzer further includes: 

2 a message type analyzer. 

1 22. A machine accessible medium including therein instructions which, when executed by the 

2 machine, cause the machine to: 

3 compare a first address:port combination of a message against a second address :port 

4 combination of a previously received message; and 

5 responsive to the address:port comparison, determine whether excessive traffic is going 

6 to/from the first address:port combination. 

1 23. The machine accessible medium of claim 22 further including therein instructions which, 

2 when executed by the machine, cause the machine to further: 

3 □ throttle traffic to/from the first address:port combination. 

1 [I 24. The machine accessible medium of claim 23 further including therein instructions which, 

2 I* when executed by the machine, cause the machine to further: 

3 fa report fraud. 

1 *~ 25. The machine accessible medium of claim 22 further including therein instructions which, 

2 M when executed by the machine, cause the machine to further: 

3 n compare a first type specifier of the message against a second type specifier of the previously 

4 fSS received message; and 

5 responsive to the type specifier comparison, determine whether the first address:port 

6 identifies a router performing address:port masquerading. 

1 26. The machine accessible medium of claim 25 further including therein instructions which, 

2 when executed by the machine, cause the machine to further: 

3 report the masquerading. 

1 27. A method for a communication switch to detect that a device connected to the 

2 communication switch is a router, comprising: 

3 receiving from the device a message including address and sub-address identifiers; 
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4 comparing the address and sub-address identifiers against one or more previously received 

5 messages; and 

6 detecting that the address and sub-address identifiers indicate that the device is performing 

7 masquerading. 

1 28. The method of claim 27 wherein the detecting comprises: 

2 observing a first message type indicator in the message and a different message type indicator 

3 in at least one of the previously received messages. 

1 29. The method of claim 27 further comprising: 

2 recording the address and sub-address identifiers of the message; 

3 receiving a second message; and 

4 comparing the second message's address and sub-address identifiers against the recorded 

5 12 address and sub-address identifiers. 

1 30. The method of claim 27 wherein: 

2 ^ the address identifier comprises an Internet Protocol address; and 

3 hi the sub-address identifier comprises a port number. 

X fx. 

1 *L 31. The method of claim 27 further comprising: 

2 y responsive to detecting masquerading, sending a fraud alert to a server. 

1 ~ 32. The method of claim 27 further comprising: 

2 throttling message transmission. 

1 33. The method of claim 27 further comprising: 

2 comparing a message type identifier of the message against one or more previously received 

3 messages; and 

4 detecting that the message type identifier of the message is different than a message type 

5 identifier of a previously received message having a same address identifier and a same sub-address 

6 identifier as the message. 

1 34. The method of claim 33 wherein: 

2 the address identifier comprises an Internet Protocol address; 
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the sub-address identifier comprises a port number; and 

the message type identifier comprises one of an HTTP specifier and an FTP specifier. 
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